Backing Up SID-histories?

Teppo Tulppu

We are planning to remove the SID-histories from users. Before doing that
we would very much like to back them up first.

I tried backing them up with ldifde export, but it seems to import the
hexadecimal values incorrectly. Is there any way (switch) to get it to work?
And can I import them back with ldifde, in case needed?

Or is there any handy tool for this?

BR
TT
 
Joe Richards [MVP]

Reading them and storing them is no problem. Putting them back is, you can't.
You can only recover them with an authoritative restore.
 
Jorge_de_Almeida_Pinto

> We are planning to remove the SID-histories from users. Before doing that
> we would very much like to back them up first.
>
> I tried backing them up with ldifde export, but it seems to import the
> hexadecimal values incorrectly. Is there any way (switch) to get it to work?
> And can I import them back with ldifde, in case needed?
>
> Or is there any handy tool for this?
>
> BR
> TT

It is not that easy to back up SIDhistory values of users the way you
are trying to accomplish. As long as the source domain is available,
you can assign sidhistory again to groups and users by using the clone
principal script from Microsoft or third-party tooling. But if you
already removed the source environment/domain, that is another story.
To my knowledge it is not possible to inject SIDs into a sidhistory
field like any other attribute of a security principal.

My guess is the following should be the way to go for you:
* Re-ACL all data from source SIDs to target SIDs
* Cleanup sid history fields
* Everything OK? Cleanup/dismantle source domain
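
Added example, not part of the original thread or any poster's code: a reader for the "reading and storing" half discussed above, which decodes the base64 `sIDHistory::` values in an LDIF export into S-1-... strings for an archival record. It assumes the export holds sIDHistory as base64 binary SIDs; the DN and SID in the sample are constructed, and the function names are this example's own.

```python
import base64
import struct

def sid_to_string(raw: bytes) -> str:
    """Binary SID (objectSid/sIDHistory layout) to its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def unfold(text: str):
    """Yield logical LDIF lines; a leading space marks a folded continuation."""
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            current += line[1:]
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current

def sid_history_from_ldif(text: str) -> dict:
    """Map each entry's DN to the decoded list of its sIDHistory values."""
    result, dn = {}, None
    for line in unfold(text):
        low = line.lower()
        if low.startswith("dn:: "):                   # base64 DN (non-ASCII)
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif low.startswith("dn: "):
            dn = line[4:]
        elif low.startswith("sidhistory:: ") and dn:
            raw = base64.b64decode(line.split(":: ", 1)[1])
            result.setdefault(dn, []).append(sid_to_string(raw))
        elif not line.strip():                        # blank line ends the entry
            dn = None
    return result

# Constructed sample: one made-up user with one made-up sIDHistory value,
# folded across two lines the way an LDIF writer wraps long values.
SAMPLE_DN = "CN=Constructed User,OU=Staff,DC=example,DC=test"
_b64 = base64.b64encode(bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)).decode()
SAMPLE_LDIF = f"dn: {SAMPLE_DN}\nchangetype: add\nsIDHistory:: {_b64[:20]}\n {_b64[20:]}\n"

if __name__ == "__main__":
    print(sid_history_from_ldif(SAMPLE_LDIF))
```

The output is a record of which SIDs each account carried, useful for checking re-ACL coverage; it does not make the values restorable.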
 
